T1680 Microsoft Sentinel · KQL

Detect Local Storage Discovery in Microsoft Sentinel

This detection identifies adversary attempts to enumerate local drives, disks, volumes, and storage attributes across Windows, Linux, macOS, and ESXi platforms. Attackers use tools such as wmic logicaldisk, Get-PSDrive, lsblk, fdisk, diskutil, esxcli, and cloud CLI commands to gather disk size, free space, volume serial numbers, and partition layouts. Storage discovery is a critical precursor to ransomware encryption (to identify all encryptable volumes), lateral movement targeting network shares, and direct volume access attacks. Groups like TeamTNT and malware families including Cuba ransomware and ZeroCleare have demonstrated this behavior in production incidents.

MITRE ATT&CK

Tactic
Discovery
Technique
T1680 Local Storage Discovery
Canonical reference
https://attack.mitre.org/techniques/T1680/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let StorageDiscoveryPatterns = dynamic(["logicaldisk", "diskdrive", "win32_volume", "win32_logicaldisk"]);
let PSStorageCmdlets = dynamic(["Get-PSDrive", "Get-Disk", "Get-Volume", "Get-Partition", "Get-PhysicalDisk", "Get-StoragePool"]);
let LinuxStorageCmds = dynamic(["lsblk", "fdisk", "parted", "lshw", "blkid", "lvdisplay", "pvdisplay", "vgdisplay"]);
let CloudStorageCmds = dynamic(["describe-volumes", "describe-instances", "disks list", "disk list"]);
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where (
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any (StorageDiscoveryPatterns))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "volume" and ProcessCommandLine has "get")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSStorageCmdlets))
    or (FileName =~ "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume", "list partition"))
    or (FileName =~ "fsutil.exe" and ProcessCommandLine has "fsinfo")
    or (FileName =~ "mountvol.exe")
    or (FileName in~ ("lsblk", "fdisk", "parted", "lshw", "blkid", "df") and ProcessCommandLine has_any (LinuxStorageCmds))
    or (FileName =~ "diskutil" and (ProcessCommandLine has "list" or ProcessCommandLine has "info"))
    or (FileName =~ "system_profiler" and ProcessCommandLine has "SPStorageDataType")
    or (FileName =~ "esxcli" and ProcessCommandLine has "storage")
    or (FileName in~ ("aws", "gcloud", "az") and ProcessCommandLine has_any (CloudStorageCmds))
)
| where InitiatingProcessFileName !in~ ("msiexec.exe", "MsMpEng.exe", "svchost.exe", "services.exe")
| project TimeGenerated, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
    ProcessId, InitiatingProcessId
| extend RiskIndicator = case(
    ProcessCommandLine has "wmic" and ProcessCommandLine has "logicaldisk", "WMIC LogicalDisk Enumeration",
    ProcessCommandLine has_any (PSStorageCmdlets), "PowerShell Storage Cmdlet",
    ProcessCommandLine has "diskpart", "DiskPart Storage Enumeration",
    ProcessCommandLine has "esxcli" and ProcessCommandLine has "storage", "ESXi Storage Enumeration",
    ProcessCommandLine has_any (CloudStorageCmds), "Cloud Volume Enumeration",
    "Generic Storage Discovery"
)
| order by TimeGenerated desc
medium severity medium confidence

Detects process execution patterns consistent with local storage enumeration across Windows (wmic logicaldisk, PowerShell Get-PSDrive/Get-Disk, diskpart, fsutil), Linux (lsblk, fdisk, parted, lshw), macOS (diskutil, system_profiler SPStorageDataType), ESXi (esxcli storage), and cloud CLI (aws describe-volumes, gcloud compute disks list, az disk list). Filters common system processes that legitimately invoke these utilities to reduce noise.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
  • System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
  • Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information
  • Cloud management platforms and orchestration tools (Terraform, Packer) enumerating volumes during provisioning
  • Storage monitoring agents and SIEM forwarders checking disk free space for alerting thresholds
Download portable Sigma rule (.yml)

Other platforms for T1680

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 6 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows WMIC LogicalDisk Enumeration

    Expected signal: DeviceProcessEvents: FileName=wmic.exe, ProcessCommandLine contains 'logicaldisk get'. Security Event 4688 if process creation auditing enabled. Sysmon EventCode=1 with full command line.

  2. Test 2PowerShell Storage Enumeration via Get-Disk and Get-Volume

    Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Get-Disk' and 'Get-Volume'. PowerShell Script Block Logging (Event 4104) will record the script block if enabled. Sysmon EventCode=1.

  3. Test 3DiskPart Volume and Disk Listing

    Expected signal: DeviceProcessEvents: FileName=diskpart.exe with /s flag and temp file path. DeviceFileEvents: temp script file creation in %TEMP%. Security Event 4688 or Sysmon EventCode=1.

  4. Test 4Linux Block Device Enumeration

    Expected signal: Syslog or auditd EXECVE records for lsblk, fdisk, df, blkid. auditd: type=EXECVE msg containing lsblk and fdisk arguments. bash history update.

  5. Test 5ESXi Storage Enumeration via esxcli

    Expected signal: ESXi shell.log (/var/log/shell.log): command execution entries for esxcli storage filesystem list and vim-cmd. Syslog entries if syslog forwarding is configured to a SIEM.

  6. Test 6AWS Cloud Volume Discovery

    Expected signal: AWS CloudTrail: DescribeVolumes and DescribeInstances API calls with sourceIPAddress, userIdentity.arn, and eventTime. CloudTrail log should appear in S3 bucket within 15 minutes.

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1680 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1006Direct Volume AccessT1486Data Encrypted for ImpactT1083File and Directory DiscoveryT1057Process DiscoveryT1082System Information DiscoveryT1490Inhibit System RecoveryT1059.001PowerShellT1059.003Windows Command ShellT1059.012Hypervisor CLI

Same Tactic: Discovery

Popular Detections